Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
20-12-2024 00:06
Behavioral task
behavioral1
Sample
28956dfc41da1251550821cb38a5008c9ddb6721f8eca0150d2c416f1fd61cb4N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
28956dfc41da1251550821cb38a5008c9ddb6721f8eca0150d2c416f1fd61cb4N.exe
-
Size
75KB
-
MD5
b53fafd733a52384c6596c7650a37650
-
SHA1
3bcc782428708e2432caed6fc7556b342779451f
-
SHA256
28956dfc41da1251550821cb38a5008c9ddb6721f8eca0150d2c416f1fd61cb4
-
SHA512
1881b3c716f090f2992d6746ff528dc580bc37b0260c293d3d1516033c4c17dcf1a3d1c2dbe1ccb1e81fb17ee7523eadbf442502b3e6a10376978b480eca9c83
-
SSDEEP
1536:0vQBeOGtrYS3srx93UBWfwC6Ggnouy8CUYj7FHVNK+1yN32DO:0hOmTsF93UYfwC6GIoutXwji2DO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1656-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/372-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2088-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/432-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3076-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2744-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5004-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1816-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2452-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2012-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4248-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2476-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2092-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2424-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4788-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3604-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4016-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3528-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4456-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4804-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1104-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2864-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4772-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2648-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3404-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4232-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3908-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1368-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/924-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/624-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1744-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3892-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4900-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4436-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1408-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2208-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2140-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3428-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4248-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2352-374-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1052-392-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5056-390-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2872-401-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1248-429-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/924-445-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1844-455-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4580-459-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1984-469-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5028-491-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3660-495-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1872-502-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3048-509-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4768-579-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/628-613-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3908-635-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2264-660-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4736-682-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1360-752-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1288-802-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4076-871-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3564-1040-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3900-1080-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4724-1357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 372 dvjjd.exe 2088 228822.exe 432 e20446.exe 4864 hhbbnb.exe 3076 5xlffll.exe 2744 3jddd.exe 5004 xlrlfll.exe 1816 42444.exe 2452 w06664.exe 4092 llllffl.exe 2012 2228442.exe 3680 9jvvj.exe 4248 frlfxrf.exe 2476 lxfxrrl.exe 2092 g6086.exe 2424 7hhhbb.exe 1708 hbnhtt.exe 4788 888844.exe 3604 rxxrxff.exe 4016 tthhbh.exe 3528 fflllrr.exe 4576 02484.exe 4036 q40488.exe 4980 4442664.exe 1508 tnnnhh.exe 1756 pddjv.exe 4804 40844.exe 4456 htnhhh.exe 1104 tnnnhh.exe 4504 68248.exe 3488 1dvdv.exe 2864 tbbthh.exe 928 djdvj.exe 4772 fxfrffr.exe 2648 8420202.exe 1952 24484.exe 3404 3thbtt.exe 1108 nthbtt.exe 5012 nhbtnh.exe 4040 4668668.exe 4232 0608682.exe 4356 g0408.exe 3908 0088088.exe 2328 bbbbtt.exe 4052 2824884.exe 1368 7vdjj.exe 924 m2024.exe 624 vdvvp.exe 3716 w46640.exe 1744 4020484.exe 3248 llllxxf.exe 3892 o264608.exe 3464 7jddv.exe 4900 o806400.exe 4436 4668248.exe 1408 xxrxrfx.exe 3424 44004.exe 4736 xrrlfll.exe 4968 bnttbh.exe 2208 hhbhnt.exe 3640 0448042.exe 2140 280244.exe 4076 66204.exe 3428 llrlxxr.exe -
resource yara_rule behavioral2/memory/1656-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cce-3.dat upx behavioral2/memory/1656-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cd1-9.dat upx behavioral2/memory/372-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd5-13.dat upx behavioral2/memory/2088-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd7-20.dat upx behavioral2/memory/432-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd8-28.dat upx behavioral2/files/0x0007000000023cd9-32.dat upx behavioral2/memory/3076-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cda-37.dat upx behavioral2/memory/2744-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5004-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cdb-43.dat upx behavioral2/files/0x0007000000023cdc-51.dat upx behavioral2/memory/1816-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cdd-54.dat upx behavioral2/memory/2452-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cde-60.dat upx behavioral2/files/0x0007000000023cdf-65.dat upx behavioral2/memory/2012-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce0-71.dat upx behavioral2/memory/4248-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce1-79.dat upx behavioral2/files/0x0007000000023ce2-83.dat upx behavioral2/memory/2092-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2476-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce3-89.dat upx behavioral2/memory/2424-91-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2092-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce4-96.dat upx behavioral2/memory/2424-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce5-102.dat upx behavioral2/files/0x0007000000023ce6-107.dat upx behavioral2/memory/4788-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce7-115.dat upx behavioral2/memory/3604-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cd2-120.dat upx behavioral2/memory/4016-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce8-127.dat upx behavioral2/memory/3528-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce9-132.dat upx behavioral2/files/0x0007000000023cea-136.dat upx behavioral2/files/0x0007000000023ceb-142.dat upx behavioral2/files/0x0007000000023cec-147.dat upx behavioral2/files/0x0007000000023cee-151.dat upx behavioral2/memory/4456-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4804-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cef-157.dat upx behavioral2/files/0x0007000000023ceb-164.dat upx behavioral2/files/0x0007000000023cf0-168.dat upx behavioral2/memory/1104-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cf1-175.dat upx behavioral2/files/0x0007000000023cf2-179.dat upx behavioral2/memory/2864-182-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2864-187-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4772-193-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2648-197-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3404-204-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4232-216-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3908-223-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1368-232-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q28262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o282260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 482222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0486026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxfrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4622844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1656 wrote to memory of 372 1656 28956dfc41da1251550821cb38a5008c9ddb6721f8eca0150d2c416f1fd61cb4N.exe 85 PID 1656 wrote to memory of 372 1656 28956dfc41da1251550821cb38a5008c9ddb6721f8eca0150d2c416f1fd61cb4N.exe 85 PID 1656 wrote to memory of 372 1656 28956dfc41da1251550821cb38a5008c9ddb6721f8eca0150d2c416f1fd61cb4N.exe 85 PID 372 wrote to memory of 2088 372 dvjjd.exe 86 PID 372 wrote to memory of 2088 372 dvjjd.exe 86 PID 372 wrote to memory of 2088 372 dvjjd.exe 86 PID 2088 wrote to memory of 432 2088 228822.exe 87 PID 2088 wrote to memory of 432 2088 228822.exe 87 PID 2088 wrote to memory of 432 2088 228822.exe 87 PID 432 wrote to memory of 4864 432 e20446.exe 88 PID 432 wrote to memory of 4864 432 e20446.exe 88 PID 432 wrote to memory of 4864 432 e20446.exe 88 PID 4864 wrote to memory of 3076 4864 hhbbnb.exe 89 PID 4864 wrote to memory of 3076 4864 hhbbnb.exe 89 PID 4864 wrote to memory of 3076 4864 hhbbnb.exe 89 PID 3076 wrote to memory of 2744 3076 5xlffll.exe 90 PID 3076 wrote to memory of 2744 3076 5xlffll.exe 90 PID 3076 wrote to memory of 2744 3076 5xlffll.exe 90 PID 2744 wrote to memory of 5004 2744 3jddd.exe 91 PID 2744 wrote to memory of 5004 2744 3jddd.exe 91 PID 2744 wrote to memory of 5004 2744 3jddd.exe 91 PID 5004 wrote to memory of 1816 5004 xlrlfll.exe 92 PID 5004 wrote to memory of 1816 5004 xlrlfll.exe 92 PID 5004 wrote to memory of 1816 5004 xlrlfll.exe 92 PID 1816 wrote to memory of 2452 1816 42444.exe 93 PID 1816 wrote to memory of 2452 1816 42444.exe 93 PID 1816 wrote to memory of 2452 1816 42444.exe 93 PID 2452 wrote to memory of 4092 2452 w06664.exe 94 PID 2452 wrote to memory of 4092 2452 w06664.exe 94 PID 2452 wrote to memory of 4092 2452 w06664.exe 94 PID 4092 wrote to memory of 2012 4092 llllffl.exe 95 PID 4092 wrote to memory of 2012 4092 llllffl.exe 95 PID 4092 wrote to memory of 2012 4092 llllffl.exe 95 PID 2012 wrote to memory of 3680 2012 2228442.exe 96 PID 2012 wrote to memory of 3680 
2012 2228442.exe 96 PID 2012 wrote to memory of 3680 2012 2228442.exe 96 PID 3680 wrote to memory of 4248 3680 9jvvj.exe 97 PID 3680 wrote to memory of 4248 3680 9jvvj.exe 97 PID 3680 wrote to memory of 4248 3680 9jvvj.exe 97 PID 4248 wrote to memory of 2476 4248 frlfxrf.exe 98 PID 4248 wrote to memory of 2476 4248 frlfxrf.exe 98 PID 4248 wrote to memory of 2476 4248 frlfxrf.exe 98 PID 2476 wrote to memory of 2092 2476 lxfxrrl.exe 99 PID 2476 wrote to memory of 2092 2476 lxfxrrl.exe 99 PID 2476 wrote to memory of 2092 2476 lxfxrrl.exe 99 PID 2092 wrote to memory of 2424 2092 g6086.exe 100 PID 2092 wrote to memory of 2424 2092 g6086.exe 100 PID 2092 wrote to memory of 2424 2092 g6086.exe 100 PID 2424 wrote to memory of 1708 2424 7hhhbb.exe 101 PID 2424 wrote to memory of 1708 2424 7hhhbb.exe 101 PID 2424 wrote to memory of 1708 2424 7hhhbb.exe 101 PID 1708 wrote to memory of 4788 1708 hbnhtt.exe 102 PID 1708 wrote to memory of 4788 1708 hbnhtt.exe 102 PID 1708 wrote to memory of 4788 1708 hbnhtt.exe 102 PID 4788 wrote to memory of 3604 4788 888844.exe 103 PID 4788 wrote to memory of 3604 4788 888844.exe 103 PID 4788 wrote to memory of 3604 4788 888844.exe 103 PID 3604 wrote to memory of 4016 3604 rxxrxff.exe 104 PID 3604 wrote to memory of 4016 3604 rxxrxff.exe 104 PID 3604 wrote to memory of 4016 3604 rxxrxff.exe 104 PID 4016 wrote to memory of 3528 4016 tthhbh.exe 105 PID 4016 wrote to memory of 3528 4016 tthhbh.exe 105 PID 4016 wrote to memory of 3528 4016 tthhbh.exe 105 PID 3528 wrote to memory of 4576 3528 fflllrr.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\28956dfc41da1251550821cb38a5008c9ddb6721f8eca0150d2c416f1fd61cb4N.exe"C:\Users\Admin\AppData\Local\Temp\28956dfc41da1251550821cb38a5008c9ddb6721f8eca0150d2c416f1fd61cb4N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\dvjjd.exec:\dvjjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\228822.exec:\228822.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\e20446.exec:\e20446.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\hhbbnb.exec:\hhbbnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\5xlffll.exec:\5xlffll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\3jddd.exec:\3jddd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\xlrlfll.exec:\xlrlfll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\42444.exec:\42444.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\w06664.exec:\w06664.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\llllffl.exec:\llllffl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\2228442.exec:\2228442.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\9jvvj.exec:\9jvvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\frlfxrf.exec:\frlfxrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\g6086.exec:\g6086.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\7hhhbb.exec:\7hhhbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\hbnhtt.exec:\hbnhtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\888844.exec:\888844.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\rxxrxff.exec:\rxxrxff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\tthhbh.exec:\tthhbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\fflllrr.exec:\fflllrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\02484.exec:\02484.exe23⤵
- Executes dropped EXE
PID:4576 -
\??\c:\q40488.exec:\q40488.exe24⤵
- Executes dropped EXE
PID:4036 -
\??\c:\4442664.exec:\4442664.exe25⤵
- Executes dropped EXE
PID:4980 -
\??\c:\tnnnhh.exec:\tnnnhh.exe26⤵
- Executes dropped EXE
PID:1508 -
\??\c:\pddjv.exec:\pddjv.exe27⤵
- Executes dropped EXE
PID:1756 -
\??\c:\40844.exec:\40844.exe28⤵
- Executes dropped EXE
PID:4804 -
\??\c:\htnhhh.exec:\htnhhh.exe29⤵
- Executes dropped EXE
PID:4456 -
\??\c:\tnnnhh.exec:\tnnnhh.exe30⤵
- Executes dropped EXE
PID:1104 -
\??\c:\68248.exec:\68248.exe31⤵
- Executes dropped EXE
PID:4504 -
\??\c:\1dvdv.exec:\1dvdv.exe32⤵
- Executes dropped EXE
PID:3488 -
\??\c:\tbbthh.exec:\tbbthh.exe33⤵
- Executes dropped EXE
PID:2864 -
\??\c:\djdvj.exec:\djdvj.exe34⤵
- Executes dropped EXE
PID:928 -
\??\c:\fxfrffr.exec:\fxfrffr.exe35⤵
- Executes dropped EXE
PID:4772 -
\??\c:\8420202.exec:\8420202.exe36⤵
- Executes dropped EXE
PID:2648 -
\??\c:\24484.exec:\24484.exe37⤵
- Executes dropped EXE
PID:1952 -
\??\c:\3thbtt.exec:\3thbtt.exe38⤵
- Executes dropped EXE
PID:3404 -
\??\c:\nthbtt.exec:\nthbtt.exe39⤵
- Executes dropped EXE
PID:1108 -
\??\c:\nhbtnh.exec:\nhbtnh.exe40⤵
- Executes dropped EXE
PID:5012 -
\??\c:\4668668.exec:\4668668.exe41⤵
- Executes dropped EXE
PID:4040 -
\??\c:\0608682.exec:\0608682.exe42⤵
- Executes dropped EXE
PID:4232 -
\??\c:\g0408.exec:\g0408.exe43⤵
- Executes dropped EXE
PID:4356 -
\??\c:\0088088.exec:\0088088.exe44⤵
- Executes dropped EXE
PID:3908 -
\??\c:\bbbbtt.exec:\bbbbtt.exe45⤵
- Executes dropped EXE
PID:2328 -
\??\c:\2824884.exec:\2824884.exe46⤵
- Executes dropped EXE
PID:4052 -
\??\c:\7vdjj.exec:\7vdjj.exe47⤵
- Executes dropped EXE
PID:1368 -
\??\c:\m2024.exec:\m2024.exe48⤵
- Executes dropped EXE
PID:924 -
\??\c:\vdvvp.exec:\vdvvp.exe49⤵
- Executes dropped EXE
PID:624 -
\??\c:\w46640.exec:\w46640.exe50⤵
- Executes dropped EXE
PID:3716 -
\??\c:\4020484.exec:\4020484.exe51⤵
- Executes dropped EXE
PID:1744 -
\??\c:\w28444.exec:\w28444.exe52⤵PID:4580
-
\??\c:\llllxxf.exec:\llllxxf.exe53⤵
- Executes dropped EXE
PID:3248 -
\??\c:\o264608.exec:\o264608.exe54⤵
- Executes dropped EXE
PID:3892 -
\??\c:\7jddv.exec:\7jddv.exe55⤵
- Executes dropped EXE
PID:3464 -
\??\c:\o806400.exec:\o806400.exe56⤵
- Executes dropped EXE
PID:4900 -
\??\c:\4668248.exec:\4668248.exe57⤵
- Executes dropped EXE
PID:4436 -
\??\c:\xxrxrfx.exec:\xxrxrfx.exe58⤵
- Executes dropped EXE
PID:1408 -
\??\c:\44004.exec:\44004.exe59⤵
- Executes dropped EXE
PID:3424 -
\??\c:\xrrlfll.exec:\xrrlfll.exe60⤵
- Executes dropped EXE
PID:4736 -
\??\c:\bnttbh.exec:\bnttbh.exe61⤵
- Executes dropped EXE
PID:4968 -
\??\c:\hhbhnt.exec:\hhbhnt.exe62⤵
- Executes dropped EXE
PID:2208 -
\??\c:\0448042.exec:\0448042.exe63⤵
- Executes dropped EXE
PID:3640 -
\??\c:\280244.exec:\280244.exe64⤵
- Executes dropped EXE
PID:2140 -
\??\c:\66204.exec:\66204.exe65⤵
- Executes dropped EXE
PID:4076 -
\??\c:\llrlxxr.exec:\llrlxxr.exe66⤵
- Executes dropped EXE
PID:3428 -
\??\c:\nhtnnn.exec:\nhtnnn.exe67⤵PID:4812
-
\??\c:\802288.exec:\802288.exe68⤵PID:3596
-
\??\c:\1nbhbt.exec:\1nbhbt.exe69⤵PID:4072
-
\??\c:\dvvvp.exec:\dvvvp.exe70⤵PID:4248
-
\??\c:\9nbbtb.exec:\9nbbtb.exe71⤵PID:4604
-
\??\c:\u860646.exec:\u860646.exe72⤵PID:3008
-
\??\c:\282468.exec:\282468.exe73⤵PID:3444
-
\??\c:\pjpvp.exec:\pjpvp.exe74⤵PID:3584
-
\??\c:\0066626.exec:\0066626.exe75⤵PID:3684
-
\??\c:\dpvvv.exec:\dpvvv.exe76⤵PID:916
-
\??\c:\9jvdd.exec:\9jvdd.exe77⤵PID:3748
-
\??\c:\026028.exec:\026028.exe78⤵PID:4424
-
\??\c:\86806.exec:\86806.exe79⤵PID:220
-
\??\c:\1flrllf.exec:\1flrllf.exe80⤵PID:816
-
\??\c:\680622.exec:\680622.exe81⤵PID:4044
-
\??\c:\djppp.exec:\djppp.exe82⤵PID:3628
-
\??\c:\086222.exec:\086222.exe83⤵PID:3352
-
\??\c:\064680.exec:\064680.exe84⤵PID:2232
-
\??\c:\a2408.exec:\a2408.exe85⤵PID:2752
-
\??\c:\e26822.exec:\e26822.exe86⤵PID:4128
-
\??\c:\4280242.exec:\4280242.exe87⤵PID:1548
-
\??\c:\nthbnt.exec:\nthbnt.exe88⤵PID:1620
-
\??\c:\7jvvv.exec:\7jvvv.exe89⤵PID:744
-
\??\c:\q20606.exec:\q20606.exe90⤵PID:2360
-
\??\c:\22804.exec:\22804.exe91⤵PID:2352
-
\??\c:\86082.exec:\86082.exe92⤵PID:4456
-
\??\c:\tntbnn.exec:\tntbnn.exe93⤵PID:4156
-
\??\c:\820040.exec:\820040.exe94⤵PID:1104
-
\??\c:\hbnnnt.exec:\hbnnnt.exe95⤵PID:1324
-
\??\c:\nthnnn.exec:\nthnnn.exe96⤵PID:5056
-
\??\c:\08202.exec:\08202.exe97⤵PID:1052
-
\??\c:\flxxlrx.exec:\flxxlrx.exe98⤵PID:2692
-
\??\c:\0220208.exec:\0220208.exe99⤵PID:2872
-
\??\c:\66284.exec:\66284.exe100⤵PID:544
-
\??\c:\bhnbnh.exec:\bhnbnh.exe101⤵PID:3588
-
\??\c:\lllllrl.exec:\lllllrl.exe102⤵PID:404
-
\??\c:\bbbhth.exec:\bbbhth.exe103⤵PID:3772
-
\??\c:\62406.exec:\62406.exe104⤵PID:4176
-
\??\c:\bbhntb.exec:\bbhntb.exe105⤵PID:3552
-
\??\c:\thnttn.exec:\thnttn.exe106⤵PID:3688
-
\??\c:\lllfxxx.exec:\lllfxxx.exe107⤵PID:3452
-
\??\c:\rlllxfr.exec:\rlllxfr.exe108⤵PID:1248
-
\??\c:\6468222.exec:\6468222.exe109⤵PID:2636
-
\??\c:\lfllfxf.exec:\lfllfxf.exe110⤵PID:2412
-
\??\c:\rlxfxxx.exec:\rlxfxxx.exe111⤵PID:4012
-
\??\c:\ffllllx.exec:\ffllllx.exe112⤵PID:3472
-
\??\c:\ffxxxxr.exec:\ffxxxxr.exe113⤵PID:924
-
\??\c:\jpdvd.exec:\jpdvd.exe114⤵PID:624
-
\??\c:\1flfffx.exec:\1flfffx.exe115⤵PID:3716
-
\??\c:\tntnht.exec:\tntnht.exe116⤵PID:1844
-
\??\c:\bttnhh.exec:\bttnhh.exe117⤵PID:4580
-
\??\c:\2466444.exec:\2466444.exe118⤵PID:2980
-
\??\c:\vjdjd.exec:\vjdjd.exe119⤵PID:2088
-
\??\c:\llfffrr.exec:\llfffrr.exe120⤵PID:1984
-
\??\c:\m0840.exec:\m0840.exe121⤵PID:4516
-
\??\c:\488648.exec:\488648.exe122⤵PID:4348